On Sun, Nov 18, 2012 at 5:00 PM, Simon Dieterle <[email protected]> wrote:
> Heyho,
>
> What do I have to do to use it?

If you're a user of the device, nothing. The platform will automatically pin connections based on a pin list we provide. For most users that list will currently be empty, but as we become more confident that we aren't breaking good connections we'll be providing additional pins.

If you're an application developer and just want to pin your own connections you should either implement a custom TrustManager or use the new http://developer.android.com/reference/android/net/http/X509TrustManagerExtensions.html extensions and check the list of certificates you get back out of it.

Finally, if you're a website owner and you want to be pinned, please send an email to [email protected].

Thanks,
Geremy Condra

> On Sunday, November 18, 2012 9:12:53 PM UTC+1, Geremy Condra wrote:
>
>> Hey Jeffrey,
>>
>> Yep, we pin to the public key that issued the certificate.
>>
>> Thanks,
>> Geremy Condra
>>
>> On Sun, Nov 18, 2012 at 10:36 AM, Jeffrey Walton <[email protected]> wrote:
>>
>>> Hi All/Nick.
>>>
>>> According to About Jelly Bean
>>> (http://developer.android.com/about/versions/jelly-bean.html),
>>> libcore SSL supports pinning:
>>>
>>> "Certificate Pinning — The libcore SSL implementation now supports
>>> certificate pinning. Pinned domains will receive a certificate
>>> validation failure if the certificate does not chain to a set of
>>> expected certificates. This protects against possible compromise of
>>> Certificate Authorities."
>>>
>>> I know it tells me certificate pinning, but is that public key
>>> pinning? I've been running tests on encrypted.google.com and gmail.com
>>> for the last 18 months or so. Google rotates its certificates
>>> regularly, but the underlying public key is static.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Android Security Discussions" group.
>>> To post to this group, send email to android-secu...@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>> android-security-discuss+[email protected].
>>> For more options, visit this group at
>>> http://groups.google.com/group/android-security-discuss?hl=en.
>
> To view this discussion on the web visit
> https://groups.google.com/d/msg/android-security-discuss/-/PyWUP-wazCIJ.
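
The application-developer option described in the reply above (use X509TrustManagerExtensions and check the list of certificates it returns), as an added example that is not part of the thread or of Android's own code. The class name `SpkiPinCheck`, the lowercase hex SHA-256 pin format and the `"RSA"` authType are assumptions.

```java
import android.net.http.X509TrustManagerExtensions;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: application-level public key pinning (hypothetical class name). */
public final class SpkiPinCheck {
    /** Lowercase hex SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo. */
    static String spkiSha256(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(cert.getPublicKey().getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) {
            sb.append(Character.forDigit((b >> 4) & 0xf, 16))
              .append(Character.forDigit(b & 0xf, 16));
        }
        return sb.toString();
    }

    /** Call after conn.connect() and before sending any request data. */
    static void verify(HttpsURLConnection conn, Set<String> pins) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // platform default trust anchors
        X509TrustManager x509 = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { x509 = (X509TrustManager) tm; break; }
        }
        if (x509 == null) throw new SSLException("no X509TrustManager available");
        Certificate[] peer = conn.getServerCertificates();
        X509Certificate[] chain = new X509Certificate[peer.length];
        for (int i = 0; i < peer.length; i++) chain[i] = (X509Certificate) peer[i];
        // Match pins against the chain the platform validated, not the list
        // the server sent, which may contain unrelated certificates.
        List<X509Certificate> trusted = new X509TrustManagerExtensions(x509)
                .checkServerTrusted(chain, "RSA", conn.getURL().getHost()); // "RSA": assumed authType
        for (X509Certificate cert : trusted) {
            if (pins.contains(spkiSha256(cert))) return; // leaf or issuer key matched
        }
        throw new SSLException("no pinned public key in validated chain");
    }
}
```

Because the pin is a hash of the public key rather than of the whole certificate, it keeps matching when a certificate is reissued over the same key, which is the rotation behaviour described earlier in the thread.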
